Notice of Pre-AIA or AIA Status
The present application, filed on or after March 16, 2013, is being examined under the first inventor to file provisions of the AIA.

DETAILED ACTION
This Office Action is in response to the amendment filed on 06/02/2021 in application 16/146,142. Claims 1, 12, and 19 have been amended; claims 1, 12, and 19 are independent claims. Claims 1-20 have been examined and are pending.
Authorization for this Examiner’s Amendment was given in a telephone interview with Applicant’s representative, Mr. GIRTZ, CHRISTIAN (Reg. No. 68613), who agreed to and authorized the Examiner’s amendment of claims 1 and 12 and the cancellation of claims 5-6, 14-15, and 19-20.

Examiner’s Amendments Claims
Claims 1-20 are replaced as follows:
1.	(Currently Amended)	A system for detecting malicious activity in a computer system, the system comprising:
	a computing platform including computing hardware of at least one processor and memory operably coupled to the at least one processor; and
	instructions that, when executed on the computing platform, cause the computing platform to implement:
	a gathering tool configured to: 
	collect information about the computer system for a plurality of computer system objects, wherein the plurality of computer system objects are selected using a trained choice model, the trained choice model being previously trained by a training sample having a known maliciousness, and
	determine a plurality of relationships between the plurality of computer system objects, 
		a graph-building tool configured to: 
	build at least a first intermediate graph and a second intermediate graph based on the plurality of computer system objects and the plurality of relationships, wherein the first and second intermediate graphs are formed with the plurality of computer system objects as vertices and the plurality of relationships as edges, and
	build a final graph based on the at least first and second intermediate graphs, wherein the final graph includes at least one vertex from the first intermediate graph and at least one vertex from the second intermediate graph and at least one edge connecting the at least one vertex from the first intermediate graph and at least one vertex from the second intermediate graph,
		a search tool configured to: 
	select, from a graphs database including a plurality of preexisting graphs, at least one particular preexisting graph similar to the final graph based on a degree of similarity threshold, the at least one particular preexisting graph assigned a malicious activity ratio,
		an analysis tool configured to determine malicious activity based on the at least one particular preexisting graph, and
a re-training tool configured to retrain the trained choice model based on the determination of malicious activity by: 
	reducing the plurality of computer system objects for which information is collected by the gathering tool from a first instance of the gathering tool to a second instance of the gathering tool, and 
reducing a resource consumption for the graph-building tool from the first instance of the gathering tool to the second instance of the gathering tool.

2. 	(Previously Presented)	The system of claim 1, wherein the plurality of computer system objects are at least one of a file, a network packet, a website, a page of random access memory (RAM), a system process, an operating system object, an operating system event, an entry in an operating system log, an entry in an application log, an entry in a master file table (MFT), or an entry in an operating system registry.

3. 	(Previously Presented)	The system of claim 1, wherein the gathering tool is further configured to determine at least one of the plurality of relationships by determining a degree of reliability of a relationship between two of the plurality of computer system objects as a numerical value characterizing the probability that a first of the two of the plurality of computer system objects has a logical or functional relationship to a second of the two of the plurality of computer system objects.

4. 	(Previously Presented)	The system of claim 3, wherein the gathering tool is further configured to send the information about the computer system for the plurality of computer system objects and the plurality of relationships to the graph-building tool when the degree of reliability exceeds a reliability threshold value.

5-6. 	(Cancelled)	 

7. 	(Previously Presented)	The system of claim 1, wherein the graph-building tool is further configured to optimize the final graph by at least reducing a relationship between computer system objects, eliminating computer system objects having a predefined object characteristic, eliminating relationships having a predefined relationship characteristic, eliminating duplicated relationships, or minimizing a number of intersections between relationship lines.

8. 	(Previously Presented)	The system of claim 1, wherein the graphs database is populated with graphs based on the plurality of computer system objects and known malicious activity.

9. 	(Original)	The system of claim 1, wherein the analysis tool is configured to determine malicious activity by analyzing the malicious activity ratio of the at least one particular preexisting graph and the similarity of the at least one particular preexisting graph to the final graph.

10. 	(Original)	The system of claim 9, wherein the malicious activity ratio is calculated according to:

$$w = \prod_{i=1}^{N}\left(1 - \prod_{j=1}^{M}\left(1 - c_{\{i,j\}} \times w_j\right)\right)$$

wherein $w$ is the malicious activity ratio of the computer system under analysis; $w_j$ is the malicious activity ratio of a graph $j$ selected from the graphs database; $c_{\{i,j\}}$ is the degree of similarity between a graph $i$ and the graph $j$ selected from the graphs database; $N$ is the number of built graphs for the computer system under analysis; and $M$ is the number of graphs selected from the graphs database.

11. 	(Original)	The system of claim 1, wherein the first and second intermediate graphs are formed according to a graph diameter less than a specified diameter.

12. 	(Currently Amended)	A method for detecting malicious activity in a computer system, the method comprising:
	collecting information about the computer system for a plurality of computer system objects using a gathering tool, wherein the plurality of computer system objects are selected using a trained choice model, the trained choice model being previously trained by a training sample having a known maliciousness;
	determining a plurality of relationships between the plurality of computer system objects;
	building at least a first intermediate graph and a second intermediate graph based on the plurality of computer system objects and the plurality of relationships using a graph-building tool, wherein the first and second intermediate graphs are formed with the plurality of computer system objects as vertices and the plurality of relationships as edges;
	building a final graph based on the at least first and second intermediate graphs using the graph-building tool, wherein the final graph includes at least one vertex from the first intermediate graph and at least one vertex from the second intermediate graph and at least one edge connecting the at least one vertex from the first intermediate graph and at least one vertex from the second intermediate graph;
	selecting, from a graphs database including a plurality of preexisting graphs, at least one particular preexisting graph similar to the final graph based on a degree of similarity threshold, the at least one particular preexisting graph assigned a malicious activity ratio; [[and]]
	determining malicious activity based on the at least one particular preexisting graph; and
retraining the trained choice model based on the determination of malicious activity by: 
reducing the plurality of computer system objects for which information is collected by the gathering tool from a first instance of the gathering tool to a second instance of the gathering tool, and 
reducing a resource consumption for the graph-building tool from the first instance of the gathering tool to the second instance of the gathering tool.



14-15. 	(Cancelled)	

16. 	(Previously Presented)	The method of claim 12, further comprising:
	optimizing the final graph by at least reducing a relationship between computer system objects, eliminating computer system objects having a predefined object characteristic, eliminating relationships having a predefined relationship characteristic, eliminating duplicated relationships, or minimizing a number of intersections between relationship lines.

17. 	(Original)	The method of claim 12, wherein determining malicious activity includes analyzing the malicious activity ratio of the at least one particular preexisting graph and the similarity of the at least one particular preexisting graph to the final graph.

18. 	(Original)	The method of claim 12, wherein the first and second intermediate graphs are formed according to a graph diameter less than a specified diameter.
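The following is an added worked example of the detection flow recited in claims 1, 10 and 12; it is not code from the application or from the applicant. Objects become vertices and relationships become edges, two intermediate graphs are joined into a final graph by at least one connecting edge, preexisting graphs are selected from a graphs database by a similarity threshold, and the malicious activity ratio of claim 10 is computed over the selected graphs. Everything the claims leave open is an assumption made here: the degree of similarity c_{i,j} is taken to be the Jaccard index over edge sets, the objects, relationships and reference graphs are constructed sample data, the 0.1 similarity threshold and 0.5 decision threshold are illustrative, and the trained choice model and its retraining are not modeled.

```python
"""Added example of the graph-comparison detection of claims 1, 10 and 12.
Not code from the application.  All sample objects, relationships, reference
graphs and thresholds below are constructed for illustration."""


def build_graph(objects, relationships):
    """Intermediate graph: collected objects as vertices, relationships as edges.
    A relationship whose endpoints were not both collected is dropped."""
    vertices = set(objects)
    edges = {e for e in relationships if e[0] in vertices and e[2] in vertices}
    return vertices, edges


def build_final_graph(g1, g2, connecting_edges):
    """Final graph: union of both intermediate graphs plus at least one edge that
    joins a vertex of the first graph to a vertex of the second (claim 1)."""
    v1, e1 = g1
    v2, e2 = g2
    joined = {e for e in connecting_edges
              if (e[0] in v1 and e[2] in v2) or (e[0] in v2 and e[2] in v1)}
    if not joined:
        raise ValueError("final graph needs an edge between the two intermediate graphs")
    return v1 | v2, e1 | e2 | joined


def similarity(g, h):
    """Assumed degree of similarity c_{i,j}: Jaccard index over edge sets (0..1).
    A real system would first normalize vertex identifiers (hashes, object types)."""
    union = g[1] | h[1]
    return len(g[1] & h[1]) / len(union) if union else 1.0


def select_similar(built_graphs, graphs_db, threshold):
    """Select each preexisting graph that reaches the similarity threshold against
    any built graph.  Returns the similarity matrix c[i][j] and the ratios w_j."""
    selected = [(ref, w_j) for ref, w_j in graphs_db
                if any(similarity(g, ref) >= threshold for g in built_graphs)]
    c = [[similarity(g, ref) for ref, _ in selected] for g in built_graphs]
    return c, [w_j for _, w_j in selected]


def malicious_activity_ratio(c, w_db):
    """Claim 10: w = prod_{i=1..N} (1 - prod_{j=1..M} (1 - c_{i,j} * w_j)).
    c has one row per built graph i and one column per selected graph j.
    With no selected graph the inner product is empty, so w is 0 for any N >= 1."""
    total = 1.0
    for row in c:
        no_match = 1.0                      # probability graph i matches none of the M graphs
        for c_ij, w_j in zip(row, w_db):
            no_match *= 1.0 - c_ij * w_j
        total *= 1.0 - no_match
    return total


# --- constructed sample input (assumed, not from the application) -------------
PROCESS_OBJECTS = {"winword.exe", "cmd.exe", "powershell.exe"}
PROCESS_RELATIONS = {("winword.exe", "spawned", "cmd.exe"),
                     ("cmd.exe", "spawned", "powershell.exe")}
FILE_NET_OBJECTS = {"dropper.ps1", "203.0.113.5:443"}
FILE_NET_RELATIONS = {("dropper.ps1", "contains_url", "203.0.113.5:443")}
CONNECTING = {("powershell.exe", "wrote", "dropper.ps1"),
              ("powershell.exe", "connected_to", "203.0.113.5:443")}

# Graphs database: (preexisting graph, malicious activity ratio w_j), constructed.
GRAPHS_DB = [
    (({"winword.exe", "cmd.exe", "powershell.exe", "dropper.ps1", "203.0.113.5:443"},
      {("winword.exe", "spawned", "cmd.exe"),
       ("cmd.exe", "spawned", "powershell.exe"),
       ("powershell.exe", "wrote", "dropper.ps1"),
       ("powershell.exe", "connected_to", "203.0.113.5:443")}), 0.9),   # office downloader
    (({"msiexec.exe", "powershell.exe", "dropper.ps1", "setup.log"},
      {("msiexec.exe", "spawned", "powershell.exe"),
       ("powershell.exe", "wrote", "dropper.ps1"),
       ("msiexec.exe", "wrote", "setup.log")}), 0.1),                    # benign installer
    (({"explorer.exe", "notepad.exe"},
      {("explorer.exe", "spawned", "notepad.exe")}), 0.95),               # unrelated
]


def analyze(sim_threshold=0.1, decision_threshold=0.5):
    """Claim 12 steps end to end; returns (malicious activity ratio w, verdict)."""
    g1 = build_graph(PROCESS_OBJECTS, PROCESS_RELATIONS)
    g2 = build_graph(FILE_NET_OBJECTS, FILE_NET_RELATIONS)
    final = build_final_graph(g1, g2, CONNECTING)
    c, w_db = select_similar([final], GRAPHS_DB, sim_threshold)
    w = malicious_activity_ratio(c, w_db)
    return w, w >= decision_threshold


if __name__ == "__main__":
    ratio, verdict = analyze()
    print(f"malicious activity ratio w = {ratio:.3f}, malicious = {verdict}")
```

With the sample data the final graph has five edges; the first reference graph shares four of them (c = 0.8, w_j = 0.9) and the installer graph shares one (c = 1/7, w_j = 0.1), while the unrelated graph falls below the threshold and is not selected. Claim 10 then gives w = 1 - (1 - 0.72)(1 - 0.1/7) = 0.724, above the assumed 0.5 decision threshold. Raising the similarity threshold so that nothing is selected drives w to 0, which is the claim 10 formula's own behaviour for an empty selection and the reason a similarity threshold that is too strict silently suppresses detections.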


 

Examiner's Statement of Reasons for Allowance
Claims 1-4, 7-13, and 16-18 are allowed.
The following is an examiner’s statement of reasons for allowance: 
The invention is directed to systems and methods for detecting malicious activity in a computer system. One or more graphs are generated based on information objects about the computer system and relationships between the information objects, where the information objects are vertices in the graphs and the relationships are edges. Comparison of the generated graphs to existing graphs determines a likelihood of malicious activity.
The closest prior art, Ladnai et al. (“Ladnai,” US 2017/0300690), Quinlan et al. (“Quinlan,” US 2017/0337375), and Levy (“Levy,” US 2019/0215329), is generally directed to a system having a computing platform with a processor operatively coupled to memory hardware. A collecting tool collects information about multiple information objects of a computer system and determines relationships between those objects. A search tool selects, from a pattern database, a preexisting pattern similar to a final pattern based on a similarity threshold value, the selected pattern being assigned a malicious activity rate. An analysis tool determines malicious activity based on the preexisting pattern.
The prior art of record does not teach or suggest the following features of independent claims 1 and 12:
“collecting information about the computer system for a plurality of computer system objects using a gathering tool, wherein the plurality of computer system objects are selected using a trained choice model, the trained choice model being previously trained by a training sample having a known maliciousness” and “select, from a graphs database including a plurality of preexisting graphs, at least one particular preexisting graph similar to the final graph based on a degree of similarity threshold, the at least one particular preexisting graph assigned a malicious activity ratio, an analysis tool configured to determine malicious activity based on the at least one particular preexisting graph, and a re-training tool configured to retrain the trained choice model based on the determination of malicious activity by: reducing the plurality of computer system objects for which information is collected by the gathering tool from a first instance of the gathering tool to a second instance of the gathering tool, and reducing a resource consumption for the graph-building tool from the first instance of the gathering tool to the second instance of the gathering tool.”
These features, in light of the other features of independent claims 1 and 12 considered as a whole, are allowable over the prior art of record.
Any comments considered necessary by applicant must be submitted no later than the payment of the issue fee and, to avoid processing delays, should preferably accompany the issue fee.  Such submissions should be clearly labeled “Comments on Statement of Reasons for Allowance.”

Conclusion
Any inquiry concerning this communication or earlier communications from the examiner should be directed to CANH LE, whose telephone number is (571) 270-1380. The examiner can normally be reached Monday through Friday, 6:00 AM to 3:30 PM, with every other Friday off.
If attempts to reach the examiner by telephone are unsuccessful, the examiner’s supervisor, Luu Pham, can be reached at 571-270-5002. The fax number for the organization where this application or proceeding is assigned is 571-273-8300.
Information regarding the status of an application may be obtained from the Patent Application Information Retrieval (PAIR) system.  Status information for published applications may be obtained from either Private PAIR or Public PAIR.  Status information for unpublished applications is available through Private PAIR only.  For more information about the PAIR system, see http://pair-direct.uspto.gov. Should you have questions on access to the Private PAIR system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a USPTO Customer Service Representative or access to the automated information system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000.


/Canh Le/
Examiner, Art Unit 2439
June 11th, 2021 


/LUU T PHAM/Supervisory Patent Examiner, Art Unit 2439
